I very often hear comments like “I don’t like certificates” and realize that if you are not working with “certs” all day long it might be a hassle to get all the stuff you need in the right place. So I thought I’d give you some of my experiences with certificates and then a little “how to import” them.
The best way to decide which host names should be in a cert (for Exchange) is to find out what names you are using for your different services. Below you see a table of all services in Exchange 2013 that could need a certificate.
| Service | Internal URL | External URL |
|---|---|---|
| Exchange Web Services | cas.mailmasterlab.se | mail.mailmasterlab.se |
| Outlook Web App | cas.mailmasterlab.se | mail.mailmasterlab.se |
| Offline Address Book | cas.mailmasterlab.se | mail.mailmasterlab.se |
| Exchange Control Panel | cas.mailmasterlab.se | mail.mailmasterlab.se |
Summer is around the corner and the sun is shining! For me that means vacation, sun and of course Sommarkollo! Sommarkollo is the collective name for Microsoft’s summer seminars for partners and enterprise customers, where you can pick up news, technology and other interesting and useful information about the latest and hottest products. Attend as many seminars as you like, completely free of charge! Sommarkollo is coming to Stockholm, Göteborg and Helsingborg.
I will be talking about Exchange 2013 in Stockholm in August myself. My half day will partly be about Exchange 2013 and what is new in it, but I will also focus on what is new for the users and how we can make them happy, so be prepared for lots of demos of exciting new features!
Update: This issue has been fixed in CU2.
As part of an Exchange 2013 deployment I used the Exchange Admin Center, EAC, to create a request for a new certificate today. The whole process of doing that is described in numerous places on the web (like here) so I won’t go into details about that but I will mention a fact that came as a bit of a surprise to me….
After all the “hard work” with getting all namespaces correct the only part left was to enter the details of the customer. In this part you type in information about Organization name, Department, where you are located and so on. Normally this doesn’t present a huge challenge for me but when I for the second time got the request file back from the certificate provider telling me to enter the organization name correctly I asked myself if I had gone totally bananas… But as I soon discovered the wizard in Exchange 2013 actually switches two fields… What you enter in “Organization name” will in the request file be presented in “Department name” and vice versa.
So in the example below (picture taken from Digicert link above), “Your Company Inc” would in the request end up in the department field and “IT” where your organization name should have been.
This error is present in Exchange 2013 RTM and CU1 but the team over in Redmond know about the issue so I expect this to be fixed in future releases.
So what is the real impact of this problem? I would say very little besides the fact that some certificate providers, like my customer’s today, may not issue a certificate if they check all the details carefully. Once you have your cert, even if it has the two fields mixed up, it will work just as expected so no huge issue but something to be aware of.
Update: I forgot to mention that this issue won’t happen if you generate your request from Exchange Management Shell! Thanks for the reminder Dave! And while I’m thanking I should say a thank you to TRUSTZONE as well who twice rejected our requests, wouldn’t have seen this otherwise.
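The shell route from the update above, as an added example (not the author's script): it generates the request with an explicit subject and then decodes it to confirm that O and OU landed in the right fields before it goes to the certificate provider. The country code, key size, friendly name and output path are assumptions, and `Get-CsrSubjectField` is a hypothetical helper; the host names and the “Your Company Inc” / “IT” values are the ones used on this page.

```powershell
# Run in the Exchange Management Shell on the Exchange 2013 server.
# Constructed values: country code, key size, friendly name, output path.
$expectedO  = 'Your Company Inc'
$expectedOU = 'IT'
$subject    = "C=SE, O=$expectedO, OU=$expectedOU, CN=mail.mailmasterlab.se"

# -GenerateRequest returns the PKCS#10 request as Base64 text;
# the private key stays in the server's certificate store.
$csr = New-ExchangeCertificate -GenerateRequest `
    -SubjectName $subject `
    -DomainName 'mail.mailmasterlab.se', 'cas.mailmasterlab.se' `
    -KeySize 2048 `
    -PrivateKeyExportable $true `
    -FriendlyName 'Exchange 2013 (example)'

# Hypothetical helper: decode a PKCS#10 request and return one subject attribute.
function Get-CsrSubjectField {
    param([string]$Pkcs10Text, [string]$Attribute)

    $request = New-Object -ComObject X509Enrollment.CX509CertificateRequestPkcs10
    $request.InitializeDecode($Pkcs10Text, 6)   # 6 = XCN_CRYPT_STRING_BASE64_ANY
    $dn = $request.Subject.Name                 # e.g. "CN=..., OU=..., O=..., C=..."

    # Match the attribute only at the start of an RDN so "O" never matches "OU";
    # values containing commas are quoted in the DN string.
    $pattern = '(?:^|,\s*){0}=("[^"]*"|[^,]+)' -f [regex]::Escape($Attribute)
    if ($dn -match $pattern) { return $Matches[1].Trim('"').Trim() }
    return $null
}

$actualO  = Get-CsrSubjectField -Pkcs10Text $csr -Attribute 'O'
$actualOU = Get-CsrSubjectField -Pkcs10Text $csr -Attribute 'OU'

if ($actualO -eq $expectedOU -and $actualOU -eq $expectedO) {
    throw "O and OU are swapped in the request (O='$actualO', OU='$actualOU')."
}
if ($actualO -ne $expectedO -or $actualOU -ne $expectedOU) {
    throw "Unexpected subject fields (O='$actualO', OU='$actualOU')."
}

# Only a request that passed the check is written out for submission.
Set-Content -Path 'C:\Temp\mail.mailmasterlab.se.req' -Value $csr
```

The same helper can be pointed at a request file produced by the EAC wizard with `Get-Content -Raw` to see whether the two fields were switched.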
A few weeks back I posted the ingredients to my new lab server and now I finally got the parts for it. Unfortunately I tried to get my hands on a new SSD, the Crucial M500 960GB, and that turned out to be a bad choice, not that it didn’t work but rather that it couldn’t be shipped so that’s why I had to wait so long. My need for a new lab was huge so I went back to the 500 GB Samsung SSD to get started.
Since this project has gone on for a while and it turned out great I wanted to share some thoughts…
All parts needed for a great lab:
Some time and a glass of wine later…
The power supply I had worked but it could only support one of the two CPUs so I looked for a new one. My choice was PC Power & Cooling 850W Silencer MK III, which I found had scored well in several tests. But I found out that a white power supply really didn’t match the theme of this computer (I promise, you don’t need to tell me that thinking in terms of themes for a computer is geeky, my wife took care of that part!) and repainted it….
So with all parts assembled it now looks like this:
But besides the look (which you could already tell I’m pretty pleased about) there are some things I wanted to share!
The first thing I’m really (!) pleased about is the remote management capabilities of the motherboard I used. It allows me to power on (or off and reset) my lab computer from anywhere in the world, which of course saves power as it doesn’t have to be running all the time. In my previous blog post I had the ASUS ASMB6_IKVM listed separately but it turned out to be included on the motherboard, ASUS Z9PA-D8, so I ended up with a spare one… The user interface is simple but I get all the information (like temperatures, voltages and fan speeds) I need.
The second part of why I’m super excited about this machine is all thanks to my friend Mikael Nyström. Thanks to Mikael I can deploy a server or a client in less than a minute. Have a look at his scripts for Hyper-V here. It’s the Zip named NICConf2013-W8-Hyper-V-files. I have made some modifications to the template files and can now deploy almost any configuration of a server without even having to log on to it.
And the absolutely best part of this whole build is that the “server” is so quiet! Since I have it in my office at home I wanted it to be really quiet and the only fan (running) is the fan for the water cooling. If I put my ear to the case I can hear some “bubbling” noise but from a meter I can’t even tell if it’s on or not. Which is great working at night as I’m doing right now…
So now when I have a working lab again I promise I will continue my series on how to migrate to Exchange 2013! Stay tuned for part 2!
I just got my hands on 470 pages of Exchange and PowerShell tips and tricks! It’s the second edition of Exchange PowerShell cookbook. The first one was written by Mike Pfeiffer, and for this second edition a fellow Swede, Jonas Andersson, has updated the book to Exchange 2013.
My expectations are high and I promise to get back to you with a review when I’m done reading but I can already tell that I like the way Jonas has put this together and I’m sure there are plenty of things to be learned even for more experienced administrators.
If you can’t wait to read this book you can order it from PACKT Publishing
So stay tuned for the review!
A great friend and fellow MVP, Anders Olsson, wrote a blog about how users in Outlook Web App get logged out after 5 minutes. Since Anders writes in Swedish we thought it would be a good idea to publish it in English as well so here it is.
More and more organizations are upgrading their Exchange solutions to Exchange 2013. Many of these organizations use a Forefront Threat Management Gateway, TMG, to secure the messaging solution. In most cases this works perfectly well but some have run into issues with dropped sessions after 5 minutes. This is a known problem when TMG and Exchange 2013 are communicating but it only affects a few customers and we have not yet found the common ground for these issues. Microsoft has not yet released an official fix for this but TMG has a feature that can be used to solve the problem.
Session timeout is normally based on a user choice when logging on. In the Forms based authentication form a user can choose between Public or Private computer, which results in 10 or 360 minutes session timeout.
These timeout values can be set via “Advanced Form Options” from Forms on each listener in TMG.
Changing the value of these settings has proven not to work for customers with these issues.
The solution to this problem is a feature in TMG called Credential Caching. From Advanced (Authentication Options) on the listener you will find Client Credentials Caching. The feature has a self-explanatory name: it caches the credentials for a certain time and the default value is 300 seconds, which of course is our 5 minutes. By changing this value we can raise the time clients stay logged on.
You should NOT change the timeout value if you don’t experience this specific issue!
More information about how to publish Exchange 2013 with TMG can be found on the Exchange Team blog.
Yes! It’s here! The long awaited calculator, formerly known as the Mailbox Server Role Requirements Calculator, has been renamed and released! So meet the brand new Exchange 2013 Server Role Requirements Calculator.
As the new name hints this version of the calculator gives you recommendations not only for the mailbox role but both Exchange 2013 roles, Client Access and Mailbox. And even if we no longer have a specific role for transport the calculator factors in that as well since it’s a part of the mailbox role.
I have to admit that I have not yet had time to fully test the function but the look is the same and I bet Ross and David have done a great job and I will get down to business with the calculator very very soon!
For more information read Released: Exchange 2013 Server Role Requirements Calculator over at The Exchange Team Blog and download the calculator here.